Analysis
max time kernel: 11s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 22-07-2021 09:13

Static task: static1

Behavioral task: behavioral1
Sample: autoit.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: autoit.exe
Resource: win10v20210410 (windows10_x64)
0 signatures, 0 seconds
General
Target: autoit.exe
Size: 508KB
MD5: 43ce7ceee77fe0cb1223b145b14e6a46
SHA1: e4bf053b72e8d89fad755066fc10b5d084cd6ef7
SHA256: 1a5b9a975aa208c1d74a20c5cbba9590315c9b3b554215285f648a73a1b5ccd4
SHA512: 3d41db321c3691a3cd61a078bb6e95cf35065e949dba2841a3b09ee408c10e1b9af59680996c31684f1da77f1bab26d6642c7af3391be2d78e5dce069114711f
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; on its own, drive enumeration is a weak indicator, which is consistent with the overall score of 3/10.

Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid   process
  3968  autoit.exe
  3968  autoit.exe
  3968  autoit.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid   process
  3968  autoit.exe
  3968  autoit.exe
  3968  autoit.exe
  Both of these are routinely seen from AutoIt-compiled executables (the runtime's own window and tray handling) and carry little weight by themselves.

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process     target process
  PID 3968 wrote to memory of 1088   3968  autoit.exe  cmd.exe
  PID 3968 wrote to memory of 1088   3968  autoit.exe  cmd.exe
  PID 3968 wrote to memory of 1088   3968  autoit.exe  cmd.exe
  Writes from a parent into the child it is launching are consistent with the startup data CreateProcess places in a new process; they are not by themselves evidence of code injection. The mapping dump for PID 1088 listed under Downloads is the artifact to examine if injection is suspected.
Processes
C:\Users\Admin\AppData\Local\Temp\autoit.exe (PID 3968)
  command line: "C:\Users\Admin\AppData\Local\Temp\autoit.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe (PID 1088)
       command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\instalar.bat

The command line names C:\Windows\system32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection rewrote the path, which tells you that autoit.exe is a 32-bit process. The dropped batch file instalar.bat is the next artifact to pull; its contents are not captured in this report.
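The process chain above, turned into a detection over process-creation events. This is an added example and not part of the sandbox report: the event records are constructed from the PIDs, image paths and command lines shown on this page (plus one benign control record), and the Sysmon-style field names (`pid`, `ppid`, `image`, `command_line`) are an assumption, not a real log schema. The rule flags a cmd.exe launched by an executable in a user's Temp directory to run a .bat file, and separately notes the SysWOW64/system32 mismatch that reveals a 32-bit parent.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style field names are an
# assumption). The first two records reproduce the process tree in the report;
# the third is a benign control that must not match. PPID 1234 is a placeholder.
EVENTS = [
    {
        "pid": 3968, "ppid": 1234,
        "image": r"C:\Users\Admin\AppData\Local\Temp\autoit.exe",
        "command_line": r'"C:\Users\Admin\AppData\Local\Temp\autoit.exe"',
    },
    {
        "pid": 1088, "ppid": 3968,
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "command_line": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\instalar.bat",
    },
    {
        "pid": 2000, "ppid": 1234,
        "image": r"C:\Windows\explorer.exe",
        "command_line": r"C:\Windows\explorer.exe",
    },
]

# A path under <drive>:\Users\<name>\AppData\Local\Temp\
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# The script handed to "cmd.exe /c", with or without quotes
BAT_ARG = re.compile(r"/c\s+\"?([^\s\"]+\.(?:bat|cmd))\"?", re.I)


def is_wow64_redirected(ev):
    """True when the command line asked for system32 but the image that ran
    lives in SysWOW64: file-system redirection, so the launching process is 32-bit."""
    return ("\\syswow64\\" in ev["image"].lower()
            and "\\system32\\" in ev["command_line"].lower())


def process_chain(events, pid):
    """PIDs from the oldest known ancestor down to `pid`, using only the
    events we have (the walk stops when a parent is not in the set)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_temp_batch_launches(events):
    """Flag cmd.exe /c <script>.bat|.cmd whose parent executable runs out of
    a user Temp directory; each hit records where the script lives and
    whether the parent is 32-bit (via WOW64 redirection of the image path)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = BAT_ARG.search(ev["command_line"])
        if m is None:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or TEMP_DIR.match(parent["image"]) is None:
            continue
        hits.append({
            "parent": parent["image"],
            "parent_pid": parent["pid"],
            "child_pid": ev["pid"],
            "script": m.group(1),
            "script_in_temp": TEMP_DIR.match(m.group(1)) is not None,
            "parent_is_32bit": is_wow64_redirected(ev),
            "chain": process_chain(events, ev["pid"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_temp_batch_launches(EVENTS):
        print(hit)
```

The rule keys on the parent's location rather than on the file name, so renaming autoit.exe or instalar.bat does not evade it; a parent outside Temp (the explorer.exe control) produces no hit. The 32-bit flag is informational, but it is the kind of detail that tells you which loader and which memory dump (the SysWOW64 one here) to look at next.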
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1088-114-0x0000000000000000-mapping.dmp (memory mapping dump, PID 1088)